Atlanta’s city hall has given the all-clear for workers to turn systems back on following a ransomware attack that caused issues with certain scheduling and procurement processes.

The Atlanta ransomware attack began early in the morning on March 22 and the FBI, Department of Homeland Security, Microsoft and Cisco were brought in early on to investigate and help the city remediate the issues. The city of Atlanta Twitter account said the government was “experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information.”

Various Twitter updates that followed asserted no customer or employee data had been compromised in the Atlanta ransomware attack and the city’s major infrastructure was not affected, but certain systems such as ticket payment and applications for water service were unavailable.

In a public statement dated March 27, the Atlanta mayor’s office said the recovery process had begun.

“Today, the City of Atlanta is advising its employees to turn on computers and printers for the first time since the March 22 cyberattack,” wrote Anne Torres, director of the Mayor’s Office of Communications, and Nikki Forman, press secretary for the city, in the statement. “It is expected that some computers will operate as usual and employees will return to normal use. It is also expected that some computers may be affected or affected [sic] in some way and employees will continue using manual or alternative processes. This is part of the City’s ongoing assessment as part of the restoration and recovery process.”

Response to the Atlanta ransomware attack

According to Kennesaw State University Professor Andrew Green — who analyzed a screenshot of the ransomware sent to Atlanta NBC affiliate WXIA-TV — the malware used in the Atlanta ransomware attack was in the SamSam family and the threat actors behind the attack were asking for .8 bitcoin per affected system or 6 bitcoin (more than $50,000 as of the time of the attack) for a package decryption deal.

It is still unclear if the city paid the ransom, but Atlanta Mayor Keisha Lance Bottoms described the ransomware as a “hostage situation” in a press conference on the incident on Monday. Bottoms declined to comment on whether the vulnerability exploited to initiate the attack had been patched.

SecureWorks CEO Michael Cote said in the press conference that his company had been brought in to aid in the investigation and had identified the threat actor behind the Atlanta ransomware attack. Cote did not comment on how the attackers gained access to city systems.

City of Atlanta security

Rendition Infosec LLC, based in Augusta, Ga., released a report showing the city of Atlanta had poor infosec practices, but did not comment on the recent ransomware attack directly.

According to Rendition research, at least five systems in the Atlanta government were compromised in April 2017 by an attack that used the EternalBlue exploit and Doublepulsar malware, although Rendition said their research “is very likely incomplete” because Doublepulsar disappears after a system reboot.

“This scan data conclusively shows that the city of Atlanta was not patching its internet facing hosts more than a month after critical patches were released by Microsoft. Microsoft released patches on March 14, 2017,” Rendition wrote in a blog post. “Our scan data shows these hosts being vulnerable (and compromised by unknown attackers) on dates spanning from April 23, 2017 to May 1, 2017. After doing some searching for statements from the city of Atlanta, we can’t find any indication that they were aware of this compromise at all.”

Jake Williams, founder and CEO of Rendition Infosec, wrote on Twitter that the research undermines the city of Atlanta’s claims that it takes cybersecurity seriously.

Further, one of the servers discovered compromised is https://t.co/CqkcLHUQ8Y. Attackers exploiting this could have potentially stolen all the mail from their servers. This is an obvious PII issue (and may contain PHI data as well). So who knew what when? 3/n

Bob Rudis, chief data scientist for Rapid7, told SearchSecurity that as city governments become more connected, incidents like the Atlanta ransomware attack will be more common because municipalities are “rich targets” for attackers.

“Beyond financial account information and general personally identifiable information (PII), city-related systems and networks can and do contain court and criminal records, tax records, non-public information on police and other protective services employees, department activities/plans and more,” Rudis wrote via email. “Much of this is extremely sensitive data and would be [a] treasure trove of information, capable of being used in a diverse array of disruptive, targeted attacks against both individuals and entire departments.”

Maureen Gray, COO at Blue Ridge Networks, a cybersecurity company headquartered in Chantilly, Va., said “the problem is that government systems have to be accessible to the public.”

“Government and the private sector simply can’t rely on intrusion detection, attack signatures, and patch management approaches to cyber security anymore. That approach invites the sort of reactive ‘fire drill’ mentality we’re seeing now,” Gray told SearchSecurity. “Government must take a more proactive approach to cyber security by enacting a zero-trust stance. This assumes everything on their systems is already compromised and blocks unacceptable actions.”